
[rpd] Report of the Soft Landing issue

Owen DeLong owen at delong.com
Thu Apr 20 18:31:13 UTC 2017


> On Apr 7, 2017, at 09:50 , Noah <noah at neo.co.tz> wrote:
> 
> 
> 
> On 7 Apr 2017 7:36 p.m., "Willy MANGA" <willy.manga at auf.org> wrote:
> Hello Alain,
> my intention was not to insult IPv4 fans.
> 
> I put on the other hand all the amazing work AFRINIC training team is
> doing and I am sometimes disappointed when I see no v6 traffic after one
> year from many sites especially universities. They should not be
> concerned by v4 stuff in my humble opinion.
> 
> 
> Most believe NAT protects them while IPv6 exposes them (so they are reluctant to deploy IPv6 at a client level) and you wonder why they still pay for anti-virus software for their clients that sit behind NAT.

I would like to sell a certain famous New York bridge to anyone who believes that NAT offers protection.

Stateful inspection offers protection (to some limited extent).
You cannot unmangle packet headers without stateful inspection, so if you have NAT (of the form perceived as protection), you have stateful inspection.
Unfortunately, we have an entire generation of network and systems people who grew up assuming that NAT was a normal condition rather than the disease that it represents. Many of them were never taught about stateful inspection or the difference between or separation of stateful inspection from NAT and take for granted that they are one and the same. This simply isn’t accurate.

A public IPv4 or IPv6 address behind a stateful inspection firewall has exactly the same risks and safety as a translated (AKA private) address behind a stateful inspection cone NAT. A 1:1 stateless NAT offers exactly the same protections as a public address without a NAT (i.e. none whatsoever).

In fact, IPv4/NAT as currently widely deployed is harmful to security in that it not only offers no protection, but it obfuscates and complicates the process of identifying abusers and auditing activity on the network.

> AFRINIC IPv6 trainings need to debunk the belief that IPv4/NAT offers some sort of security to clients at the LAN level while delivering their trainings to most of this network/systems engineers.

At least to the extent that I have observed said training and in my discussions with Tamon, I believe this already occurs. If you believe it does not, I suggest you discuss directly with Tamon.

Owen
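The point Owen makes above (the filtering comes from connection-tracking state, not from address rewriting) can be shown with a small model of the three edge configurations he names. This is an added example, not code from the original post or from AFRINIC; the packet model, device classes, addresses (RFC 5737/3849 documentation ranges) and port numbers are all constructed here, and the model ignores timeouts, address families and anything but a TCP-style 4-tuple.

```python
"""Constructed model of three edge devices: a stateful filter in front of a
public (v6) address, a stateful port-overloading NAT (NAPT), and a stateless
1:1 NAT.  Only the forwarding decision is modelled; nothing here is a real
firewall.  Addresses are documentation prefixes (RFC 5737 / RFC 3849)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """Connection-tracking firewall, no translation.  Inbound packets are
    accepted only if they answer a flow the inside host opened first."""
    def __init__(self) -> None:
        self.flows: set = set()

    def outbound(self, p: Packet) -> Packet:
        self.flows.add((p.src, p.sport, p.dst, p.dport))
        return p  # forwarded unchanged

    def inbound(self, p: Packet) -> Optional[Packet]:
        # The reversed 4-tuple must match a flow we saw leave.
        if (p.dst, p.dport, p.src, p.sport) in self.flows:
            return p
        return None  # unsolicited: dropped


class StatefulNAPT:
    """Port-overloading NAT.  The translation table IS the connection state:
    an inbound packet with no entry cannot even be de-translated, so it is
    dropped.  The 'protection' comes from that state, not from the private
    address."""
    def __init__(self, public_addr: str) -> None:
        self.public = public_addr
        self.table: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}
        self.next_port = 40000  # assumed ephemeral range for the model

    def outbound(self, p: Packet) -> Packet:
        key = (self.public, self.next_port, p.dst, p.dport)
        self.table[key] = (p.src, p.sport)
        self.next_port += 1
        return Packet(self.public, key[1], p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        entry = self.table.get((p.dst, p.dport, p.src, p.sport))
        if entry is None:
            return None  # no state -> no translation -> dropped
        inside, iport = entry
        return Packet(p.src, p.sport, inside, iport)


class StatelessOneToOneNAT:
    """Static 1:1 address mapping with no connection state.  Every packet in
    either direction is rewritten and forwarded, solicited or not."""
    def __init__(self, mapping: Dict[str, str]) -> None:
        self.out_map = mapping
        self.in_map = {v: k for k, v in mapping.items()}

    def outbound(self, p: Packet) -> Packet:
        return Packet(self.out_map[p.src], p.sport, p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        inside = self.in_map.get(p.dst)
        if inside is None:
            return None
        return Packet(p.src, p.sport, inside, p.dport)  # delivered regardless


def run_scenario() -> Dict[str, Dict[str, bool]]:
    """For each device: inside host opens a flow to a web server, the server
    replies, then an outside scanner probes an unsolicited port (445)."""
    web, scanner = "198.51.100.10", "203.0.113.7"
    devices = {
        # name: (device, inside address, address the outside world sees)
        "public_v6_stateful": (StatefulFilter(), "2001:db8::10", "2001:db8::10"),
        "napt": (StatefulNAPT("192.0.2.1"), "10.0.0.10", "192.0.2.1"),
        "stateless_1to1": (StatelessOneToOneNAT({"10.0.0.10": "192.0.2.10"}),
                           "10.0.0.10", "192.0.2.10"),
    }
    results = {}
    for name, (dev, inside, outside) in devices.items():
        sent = dev.outbound(Packet(inside, 51000, web, 443))
        reply = dev.inbound(Packet(web, 443, sent.src, sent.sport))
        probe = dev.inbound(Packet(scanner, 55555, outside, 445))
        results[name] = {
            "reply_delivered": reply is not None and reply.dst == inside,
            "unsolicited_delivered": probe is not None and probe.dst == inside,
        }
    return results


if __name__ == "__main__":
    for name, r in run_scenario().items():
        print(f"{name:20s} reply={r['reply_delivered']} "
              f"unsolicited={r['unsolicited_delivered']}")
```

Both stateful devices admit the reply and drop the probe, and they do so for the same reason: the reversed 4-tuple is looked up in state created by the outbound packet. The stateless 1:1 NAT rewrites the probe and hands it to the inside host exactly as a bare public address would, which is the "none whatsoever" case in the message.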
